Analysis

  • max time kernel
    221s
  • max time network
    225s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    20-07-2022 08:57

General

  • Target

    7e37d028789ab2b47bcab159da6458da2e8198617b0e7760174e4a0eea07d9c9.msi

  • Size

    224KB

  • MD5

    6892679f8a4b438c582c9954e15acd19

  • SHA1

    546bae92165363acd3e0aaef964cc02ec2a2e67d

  • SHA256

    7e37d028789ab2b47bcab159da6458da2e8198617b0e7760174e4a0eea07d9c9

  • SHA512

    064ece5fe73a356d9078e13134288e144288bd9e9d8d06cdd72f3aaf4cc9d397b5443be67e2d07f78a282d875187a9679e19506ae580d84c9a44142da366f108

Score
10/10

Malware Config

Signatures

  • Matanbuchus

    A loader sold as MaaS first seen in February 2021.

  • Blocklisted process makes network request 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7e37d028789ab2b47bcab159da6458da2e8198617b0e7760174e4a0eea07d9c9.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1500
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1548
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1132
      • C:\Windows\SysWOW64\regsvr32.exe
        -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
        3⤵
        • Loads dropped DLL
        PID:1484
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
      2⤵
        PID:1644
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:924
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000494" "0000000000000570"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1968

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

      Filesize

      1KB

      MD5

      78f2fcaa601f2fb4ebc937ba532e7549

      SHA1

      ddfb16cd4931c973a2037d3fc83a4d7d775d05e4

      SHA256

      552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988

      SHA512

      bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      340B

      MD5

      bd5fe4e638da1701ce6c0a04639f26f5

      SHA1

      a3fbe5eedfb710fce62d580e90e4c06fbedec5a2

      SHA256

      8f3a2c638ecb3cf09fd4ea4bacfbf8f9fbf4f45fba2e4cd9faad0a67f69a0ad0

      SHA512

      6c44f5f2fc2353b4b2aaf90b65e41d222c55c5c6ee326c594b0f7b86900aabbf9ad92a4a4cc2a13e63fc5acb4d775b65fde8bc579565e08e91fbbc82e930910f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

      Filesize

      254B

      MD5

      9894fb38a07a8ce643c6a58f11b1e053

      SHA1

      7d0b9a8f15eaa338bb7aced4faf49ed7d5299e4b

      SHA256

      007a6c5433c58fc0581596931ada0d2eded1e6dd53c4245bb4ad03e4b8337f43

      SHA512

      f00d6a97fe8dc4e7f20217806a03bbd6b72b5798ea15cf677bfac26d3386999203e9b5743c54fe4538b8b4a58ed66b63fee7a353568b50108ed13e143b351bc0

    • C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll

      Filesize

      401KB

      MD5

      8f4c28685a3373241bec9af4bf6a6a3e

      SHA1

      b17610603b063aff1f48bfcaba4f4d4a25579eef

      SHA256

      7efb8b4ac75560f1f21db9c1a77b2199921f53d74c3d4d6318852cfcdebc066a

      SHA512

      f9a3cc700320f069d7bdfd7ed49c576757974a328d254a2a28976d226354ee8bb2020d186766a1c4503e3f1a1a6e10fc8ff59995fe97cbc3abbd1ed868a1d4a6

    • C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs

      Filesize

      68B

      MD5

      0308aa2c8dab8a69de41f5d16679bb9b

      SHA1

      c6827bf44a433ff086e787653361859d6f6e2fb3

      SHA256

      0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489

      SHA512

      1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72

    • \Users\Admin\AppData\Local\AdobeFontPack\main.dll

      Filesize

      401KB

      MD5

      8f4c28685a3373241bec9af4bf6a6a3e

      SHA1

      b17610603b063aff1f48bfcaba4f4d4a25579eef

      SHA256

      7efb8b4ac75560f1f21db9c1a77b2199921f53d74c3d4d6318852cfcdebc066a

      SHA512

      f9a3cc700320f069d7bdfd7ed49c576757974a328d254a2a28976d226354ee8bb2020d186766a1c4503e3f1a1a6e10fc8ff59995fe97cbc3abbd1ed868a1d4a6

    • memory/1484-65-0x0000000075501000-0x0000000075503000-memory.dmp

      Filesize

      8KB

    • memory/1500-54-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp

      Filesize

      8KB